PCANDIS5.SYS - Trojan horse Generic10.ASPV

  • Thread starter Thread starter RJK
  • Start date Start date
R

RJK

....whilst in the middle of writing my Aunty an email, Windows Defender
decided to fire up and do a sweep,
and as soon as it started up, up popped AVG 8.0 "Threat Detected,"

....false positive ?
....should I upload C:\Windows\system32\PCANDIS5.SYS to Virus Total ?
AVG 8.0 has never complained about this file before now !

regards, Richard
 
http://www.virustotal.com/analisis/c9bf961...601d8a7f5c93a64
mmm ?
...what to do ?


"RJK" wrote in message
news:O4rz7zJ2IHA.4920@TK2MSFTNGP05.phx.gbl...
> ...whilst in the middle of writing my Aunty an email, Windows Defender
> decided to fire up and do a sweep,
> and as soon as it started up, up popped AVG 8.0 "Threat Detected,"
>
> ...false positive ?
> ...should I upload C:Windowssystem32PCANDIS5.SYS to Virus Total ?
> AVG 8.0 has never complained about this file before now !
>
> regards, Richard
>
 
Hi,

...how on earth does one copy and paste from a CMD box ?!
....back to DOS ! ....

IPCONFIG /ALL > c:\ipconfig.txt
Windows IP Configuration
Host Name . . . . . . . . . . . . : presler
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast
Ethernet NIC
Physical Address. . . . . . . . . : 00-13-8F-DE-A1-85
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.55
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : 27 June 2008 23:56:08
Lease Expires . . . . . . . . . . : 28 June 2008 23:56:08

....moan.... ....quick rummage in the router :-
WAN IP address : 84.71.149.185
Gateway : 62.25.195.21
Primary DNS server : 195.92.195.94
Secondary DNS server : 195.92.195.95

....anyhooo, I've been googling on the file PCANDIS5.SYS for ages ...and
I've never read such a load of rubbish in my life.
....can't get a grip on what the darned file is for, where it came from
....and if I even need it ? !!!
http://www.file.net/process/pcandis5.sys.html

File name: Pcandis5.sys
Product name: PCAUSA Rawether for Windows
Description: PCAUSA NDIS 5.0 Protocol Driver
Company: Printing Communications Assoc., Inc. (PCAUSA)


.....I don't think I've got anything that came from them. !!!
....AVG 8.0 which has been running a scan has just decided to destroy
another copy of it in a restore point !!

regards, Richard


"David H. Lipman" wrote in message
news:OIFWRsK2IHA.6096@TK2MSFTNGP06.phx.gbl...
> From: "RJK"
>
> | http://www.virustotal.com/analisis/c9bf961...601d8a7f5c93a64
> | mmm ?
> | ..what to do ?
>
> CAT-QuickHeal 9.50 2008.06.26 Trojan.DNSChanger.ewf
>
> Assuming the above...
>
> In a Command Prompt type IPCONFIG /ALL
>
> Copy and paste your DNS Servers.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
From: "RJK"

| Hi,

| ...how on earth does one copy and paste from a CMD box ?!
| ...back to DOS ! ....

| IPCONFIG /ALL > c:\ipconfig.txt
| Windows IP Configuration
| Host Name . . . . . . . . . . . . : presler
| Primary Dns Suffix . . . . . . . :
| Node Type . . . . . . . . . . . . : Unknown
| IP Routing Enabled. . . . . . . . : No
| WINS Proxy Enabled. . . . . . . . : No

| Ethernet adapter Local Area Connection:
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast
| Ethernet NIC
| Physical Address. . . . . . . . . : 00-13-8F-DE-A1-85
| Dhcp Enabled. . . . . . . . . . . : Yes
| Autoconfiguration Enabled . . . . : Yes
| IP Address. . . . . . . . . . . . : 192.168.1.55
| Subnet Mask . . . . . . . . . . . : 255.255.255.0
| Default Gateway . . . . . . . . . : 192.168.1.1
| DHCP Server . . . . . . . . . . . : 192.168.1.1
| DNS Servers . . . . . . . . . . . : 192.168.1.1
| Lease Obtained. . . . . . . . . . : 27 June 2008 23:56:08
| Lease Expires . . . . . . . . . . : 28 June 2008 23:56:08

| ...moan.... ....quick rummage in the router :-
| WAN IP address : 84.71.149.185
| Gateway : 62.25.195.21
| Primary DNS server : 195.92.195.94
| Secondary DNS server : 195.92.195.95

| ...anyhooo, I've been googling on the file PCANDIS5.SYS for ages ...and
| I've never read such a load of rubbish in my life.
| ...can't get a grip on what the darned file is for, where it came from
| ...and if I even need it ? !!!
| http://www.file.net/process/pcandis5.sys.html

| File name: Pcandis5.sys
| Product name: PCAUSA Rawether for Windows
| Description: PCAUSA NDIS 5.0 Protocol Driver
| Company: Printing Communications Assoc., Inc. (PCAUSA)


| ....I don't think I've got anything that came from them. !!!
| ...AVG 8.0 which has been running a scan has just decided to destroy
| another copy of it in a restore point !!

| regards, Richard



Based upon your reply, your DNS servers haven't been altered to something like 85.255.x.y
which is a sign of a DNSChanger Trojan. Your Router get the DNS Servers from the ISP and
you get the DNS Service via the Router.

However, %windir%\system32\PCANDIS5.SYS is too legitimate. *.SYS files, drivers, belong
in %windir%\system32\drivers

If you'd like, you can email me a sample and I will have my "peers" check out the file.

In the meantime, search the Registry for PCANDIS5.SYS and see if it is being loaded and
from where and post back the results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Thanks again,

It's a job to handle PCANDIS5.SYS, AVG keeps grabbing hold of it !
....searching registry:-
....found keys -
HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\C:\WINDOWS\system32\PCANDIS5.sys
HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys\C:\WINDOWS\system32\PCANDIS5.sys
..... all seems to be okay ?

Key Name:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
Class Name:
Last Write Time: 6/28/2008 - 1:50 PM
Value 0
Name: a
Type: REG_SZ
Data: C:\WINDOWS\system32\PCANDIS5.sys

etc. ...recently handled files ?

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5
Class Name:
Last Write Time: 6/28/2008 - 9:57 AM
Value 0
Name: Type
Type: REG_DWORD
Data: 0x1

Value 1
Name: Start
Type: REG_DWORD
Data: 0x3

Value 2
Name: ErrorControl
Type: REG_DWORD
Data: 0x1

Value 3
Name: ImagePath
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\system32\PCANDIS5.SYS

Value 4
Name: DisplayName
Type: REG_SZ
Data: PCANDIS5 NDIS Protocol Driver

Value 5
Name: Group
Type: REG_SZ
Data: PNP_TDI


Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5\Security
Class Name:
Last Write Time: 5/6/2008 - 11:09 PM
Value 0
Name: Security
Type: REG_BINARY
Data:
00000000 01 00 14 80 90 00 00 00 - 9c 00 00 00 14 00 00 00
.................
00000010 30 00 00 00 02 00 1c 00 - 01 00 00 00 02 80 14 00
0...............
00000020 ff 01 0f 00 01 01 00 00 - 00 00 00 01 00 00 00 00
ÿ...............
00000030 02 00 60 00 04 00 00 00 - 00 00 14 00 fd 01 02 00
...`.........ý...
00000040 01 01 00 00 00 00 00 05 - 12 00 00 00 00 00 18 00
.................
00000050 ff 01 0f 00 01 02 00 00 - 00 00 00 05 20 00 00 00 ÿ...........
....
00000060 20 02 00 00 00 00 14 00 - 8d 01 02 00 01 01 00 00
................
00000070 00 00 00 05 0b 00 00 00 - 00 00 18 00 fd 01 02 00
.............ý...
00000080 01 02 00 00 00 00 00 05 - 20 00 00 00 23 02 00 00 ........
....#...
00000090 01 01 00 00 00 00 00 05 - 12 00 00 00 01 01 00 00
.................
000000a0 00 00 00 05 12 00 00 00 - ........


Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5\Enum
Class Name:
Last Write Time: 6/28/2008 - 9:57 AM
Value 0
Name: 0
Type: REG_SZ
Data: Root\LEGACY_PCANDIS5\0000

Value 1
Name: Count
Type: REG_DWORD
Data: 0x1

Value 2
Name: NextInstance
Type: REG_DWORD
Data: 0x1


....NEXT :-)

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\PCANDIS5
Class Name:
Last Write Time: 6/28/2008 - 9:57 AM
Value 0
Name: Type
Type: REG_DWORD
Data: 0x1

Value 1
Name: Start
Type: REG_DWORD
Data: 0x3

Value 2
Name: ErrorControl
Type: REG_DWORD
Data: 0x1

Value 3
Name: ImagePath
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\system32\PCANDIS5.SYS

Value 4
Name: DisplayName
Type: REG_SZ
Data: PCANDIS5 NDIS Protocol Driver

Value 5
Name: Group
Type: REG_SZ
Data: PNP_TDI


Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\PCANDIS5\Security
Class Name:
Last Write Time: 5/6/2008 - 11:09 PM
Value 0
Name: Security
Type: REG_BINARY
Data:
00000000 01 00 14 80 90 00 00 00 - 9c 00 00 00 14 00 00 00
.................
00000010 30 00 00 00 02 00 1c 00 - 01 00 00 00 02 80 14 00
0...............
00000020 ff 01 0f 00 01 01 00 00 - 00 00 00 01 00 00 00 00
ÿ...............
00000030 02 00 60 00 04 00 00 00 - 00 00 14 00 fd 01 02 00
...`.........ý...
00000040 01 01 00 00 00 00 00 05 - 12 00 00 00 00 00 18 00
.................
00000050 ff 01 0f 00 01 02 00 00 - 00 00 00 05 20 00 00 00 ÿ...........
....
00000060 20 02 00 00 00 00 14 00 - 8d 01 02 00 01 01 00 00
................
00000070 00 00 00 05 0b 00 00 00 - 00 00 18 00 fd 01 02 00
.............ý...
00000080 01 02 00 00 00 00 00 05 - 20 00 00 00 23 02 00 00 ........
....#...
00000090 01 01 00 00 00 00 00 05 - 12 00 00 00 01 01 00 00
.................
000000a0 00 00 00 05 12 00 00 00 - ........

....even though I haven't a clue as to what all this lot is, Upnp seems to be
cropping up !
....recently I switched off Upnp, ...perphaps I should switch it back on !

....I think I give up !

regards, Richard
 
From: "RJK"

| Thanks again,

| It's a job to handle PCANDIS5.SYS, AVG keeps grabbing hold of it !
| ...searching registry:-
| ...found keys -
| HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\C:\
| WINDOWS\system32\PCANDIS5.sys
| HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys\C:\
| WINDOWS\system32\PCANDIS5.sys
| .... all seems to be okay ?

< snip >

| regards, Richard

Have you updated your signatures and rescanned ?
I came across another thread that indicated updated signature scan no longer detected the
Generic Trojan and thus was most likely a FP.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Hi,

I think I'll restore boot drive image taken 27/06/08, which I think I took
before AVG got nasty about pcandis5.sys :-)
....first I may try to restore just that file from that hd image, will then
rescan ...I think first with heuristics switched off.

It may sound daft but, all the while digging around on this subject, it
feels like a false positive.
....will post outcome.

Thanks for your input

regards, Richard
 
....just restored pcandis5.ssy from hd image 27/06/08, and rescanned it with
AVG - nothing found. (heuristics on btw)
Jus resubmitted it to VirusTotal:-
http://www.virustotal.com/analisis/4592c73...d7d89ccd10c3c82
....AVG now finds nothing wrong with it !
CAT-QuickHeal still does not like the file !

....seems like I made all that fuss about nothing ! :-)

many thanks again for your help,

regards, Richard






"RJK" wrote in message
news:%233Q2FHU2IHA.528@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> I think I'll restore boot drive image taken 27/06/08, which I think I took
> before AVG got nasty about pcandis5.sys :-)
> ...first I may try to restore just that file from that hd image, will then
> rescan ...I think first with heuristics switched off.
>
> It may sound daft but, all the while digging around on this subject, it
> feels like a false positive.
> ...will post outcome.
>
> Thanks for your input
>
> regards, Richard
>
 
....draned keyboard ssy=sys !

regards, Richard


"RJK" wrote in message
news:Or1epNU2IHA.4936@TK2MSFTNGP05.phx.gbl...
> ...just restored pcandis5.ssy from hd image 27/06/08, and rescanned it
> with AVG - nothing found. (heuristics on btw)
> Jus resubmitted it to VirusTotal:-
> http://www.virustotal.com/analisis/4592c73...d7d89ccd10c3c82
> ...AVG now finds nothing wrong with it !
> CAT-QuickHeal still does not like the file !
>
> ...seems like I made all that fuss about nothing ! :-)
>
> many thanks again for your help,
>
> regards, Richard
>
>
>
>
>
>
> "RJK" wrote in message
> news:%233Q2FHU2IHA.528@TK2MSFTNGP02.phx.gbl...
>> Hi,
>>
>> I think I'll restore boot drive image taken 27/06/08, which I think I
>> took before AVG got nasty about pcandis5.sys :-)
>> ...first I may try to restore just that file from that hd image, will
>> then rescan ...I think first with heuristics switched off.
>>
>> It may sound daft but, all the while digging around on this subject, it
>> feels like a false positive.
>> ...will post outcome.
>>
>> Thanks for your input
>>
>> regards, Richard
>>
>
>
 
Back
Top